Cyber Incident Victim: Міністерство освіти і науки України
Date: Jan 2022
Location: Ukraine
Summary
Multiple Ukrainian government websites, including that of the Ministry of Education and Science, were compromised and defaced through exploitation of a critical vulnerability in an outdated content management system, and the defacements falsely claimed that citizen data had been breached. The attackers posted multilingual warning messages containing grammatical inconsistencies; Ukrainian cyber-police confirmed that no actual data compromise occurred and attributed the intrusion to a known authentication flaw. Services were disrupted while the affected sites were taken offline for restoration. Researchers suspected the involvement of a Belarus-linked threat group, and authorities investigated possible connections to compromised Polish military databases, against a backdrop of broader geopolitical tensions.
Description
On January 14, 2022, multiple Ukrainian government websites were compromised and defaced, including those of the Ministry of Foreign Affairs, Ministry of Agriculture, Ministry of Education and Science, Ministry of Security and Defense, and the Cabinet of Ministers' online portal. At least 15 public institution websites displayed unauthorized messages in Ukrainian, Russian, and Polish languages, falsely claiming that all citizen data uploaded to government networks had been compromised. The attackers exploited a critical vulnerability (CVE-2021-32648) in outdated October CMS software, which enabled unauthorized password resets and system access. Ukrainian cyber-police immediately contradicted the defacement notices, confirming no actual personal data breaches occurred. IT teams took affected websites offline for restoration, with some remaining inaccessible during recovery operations. The defaced pages contained grammatical inconsistencies that investigators suggested could indicate Russian involvement or the use of automated translation tools like Yandex.

Ukrainian authorities attributed the attacks directly to the exploitation of the October CMS vulnerability while restoration efforts continued. Concurrently, Poland's Ministry of National Defense reported compromises of military databases potentially linked to the same incident. Ukrainian cyber-police clarified this incident was separate from their recent arrest of a ransomware gang, with no attribution yet established for the website defacements. Researchers investigating the incident noted possible connections to the GhostWriter advanced persistent threat group, which has historical ties to Belarusian interests. Ukrainian officials maintained that investigations were ongoing but emphasized the attacks occurred amid heightened geopolitical tensions with Russia. No further technical specifics about data access or additional compromised systems were disclosed beyond the confirmed website defacements and subsequent takedowns.
